Commit 668fc554 authored by Oliver Hader, committed by Oliver Hader

[SECURITY] Show only explicitly configured page tree information

Backend users were able to see page tree items without having access:
- in case no DB mounts were configured for a particular user
  and page permissions configured to allow "everybody"
- in case DB mounts were pointing to pages, but actually not having
  any permission configured for these pages (user/group/everybody)

It was not possible to manipulate any of the affected pages.

Resolves: #104397
Releases: main, 13.3, 12.4, 11.5
Change-Id: I52079c8cef3d78946083403adb23a3e1a706c652
Security-Bulletin: TYPO3-CORE-SA-2024-012
Security-References: CVE-2024-47780
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/86497


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
parent daad8944